Security Configuration Tool Set • Chapter 5

5. Right-click the Security Settings node, and select Import Policy. Notice that the policies are template files with the .inf extension. You have the option of merging the template’s entries into the present OU’s security setup, or you can clear the present OU’s security settings and have them replaced by the settings in the imported template. Click Open to enact the new policy.

You are not given the option to test the template settings against the present OU’s security configuration. The settings are enabled after you import the policy via the .inf file.

Additional Security Policies

The following are a few additional security policies of which you should be aware:

■ IPSec policy  IPSec security policies can be configured and analyzed in the Security Configuration and Analysis snap-in. For more information on IPSec, see Chapter 7, “IP Security for Microsoft Windows 2000 Server.”
■ Public key policies  Included in the public key policies are the encrypted data recovery agents, root certificates, and certificate trust lists. These topics are covered in detail in Chapter 9, “Microsoft Windows 2000 Public Key Infrastructure,” and Chapter 6, “Encrypting File System for Windows 2000.”

Summary

The Security Configuration Tool Set introduces a new and more efficient way to manage security parameters in Windows 2000. Using this new set of configuration and management tools, the administrator can configure and manage the security policies for a single machine or an entire domain or organizational unit. The Tool Set includes the Security Configuration and Analysis snap-in, Security templates, the secedit.exe command-line tool, and the security settings extensions to the Group Policy Editor. Together, you can use these tools to create and configure security policies for local machines, domains, or OUs.
The Security Configuration and Analysis snap-in allows the administrator to create a database with security configuration entries. These security configuration entries can be used to test against the existing security configuration of a local machine. After the security analysis is complete, the network manager can save the database entries into a text file with the .inf extension. This text file, which is a template consisting of security configuration entries, can be saved or imported in order to define the security definition of another local machine, a domain, or an OU.

The security variables in the database can also be applied to the local machine, replacing the current security configuration. The new configuration is applied after the analysis is complete.

Security configuration can be saved as templates, which are text files that contain security configuration information. These templates are imported into the Security Configuration and Analysis snap-in database for analysis and application.

The Security Configuration and Analysis snap-in cannot be used to configure or analyze security configurations of a domain or OU. At present, there is no way to export extant domain or OU security configurations. However, you can configure the security of a domain or OU via the security settings Group Policy extensions.

The secedit.exe command-line tool allows the administrator to script security analyses, security configurations, security updates, and export of templates. Its functionality is almost equal to that of the Security Configuration and Analysis snap-in, except that you must use the graphical interface to review the results of a security analysis performed by secedit.exe.

An administrator can use the security settings Group Policy extensions to configure domain or OU security policy.
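The comparison that an analysis performs, a template's settings against the machine's current settings, can be reproduced offline on two .inf files. The following Python script is an added example, not code from the book or from Microsoft; both file contents are constructed samples, and it assumes the usual template layout of [Section] headers with key = value lines.

```python
import codecs

# Constructed sample: settings exported from the local machine (UTF-16 with BOM).
MACHINE_EXPORT = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
""".encode("utf-16")

# Constructed sample: the template to be evaluated before it is applied.
TEMPLATE = b"""; constructed hardening template
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
minimumpasswordlength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

HEADER_SECTIONS = {"unicode", "version"}  # file metadata, not security settings

def decode_inf(raw):
    """Decode template bytes, accepting UTF-16 with a BOM or plain ANSI/UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_inf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            key, sep, value = line.partition("=")
            current[key.strip().lower()] = value.strip() if sep else ""
    return sections

def diff_templates(machine_raw, template_raw):
    """List (section, key, machine_value, template_value) the template would change."""
    machine = parse_inf(decode_inf(machine_raw))
    template = parse_inf(decode_inf(template_raw))
    findings = []
    for section in sorted(set(template) - HEADER_SECTIONS):
        actual = machine.get(section, {})
        for key, wanted in sorted(template[section].items()):
            if actual.get(key) != wanted:          # differs, or not set on the machine
                findings.append((section, key, actual.get(key), wanted))
    return findings

if __name__ == "__main__":
    for section, key, have, want in diff_templates(MACHINE_EXPORT, TEMPLATE):
        print(f"[{section}] {key}: machine={have!r} template={want!r}")
```

Only settings the template defines are reported; settings present on the machine but absent from the template are left alone, because a template does not change what it does not define.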
In addition, you can import security templates directly into the domain or OU. You should do this with great caution if you have already customized the security settings for a domain or OU. At present, you cannot export the previous settings into a template that might be restored later. However, if the administrator always reconfigures the security parameters of a domain or OU by using templates, such templates can always be restored in the future.

Solutions Fast Track

Security Configuration Tool Set

☑ The main components of the Security Configuration Tool Set are the Security Configuration and Analysis snap-in, the security settings extension to Group Policy, secedit.exe, and the Security Templates snap-in.
☑ The Security Configuration and Analysis snap-in creates, configures, and tests security scenarios. You can create text-based .inf files that contain security settings. You can apply these files to the computer or save them for later use.
☑ Microsoft provides templates for configuring security. Default and incremental templates are available. Default templates are applied during fresh installs and during upgrades from Windows 9x. The incremental templates provide additional security above the defaults.
☑ Secedit.exe allows us to configure security from the command prompt.
☑ The Security Templates snap-in allows us to view and customize the template files stored in %windir%\security\templates.

Configuring Security

☑ Account policies define password policy, account lockout policy, and Kerberos policy.
☑ Local policies include the audit policy, user rights assignment, and security options.
☑ Event Log Configuration settings allow you to configure the length of time logs are retained as well as the size of the event logs.
☑ The Restricted Groups setting configures group membership and group nesting.
☑ Registry Policy sets permissions on Registry keys.
☑ The File System Security setting configures NTFS permission for all local drives.
☑ The System Services setting controls the startup policy for all local services.

Analyzing Security

☑ Compare security policies in the template with the actual state of the local machine. This practice allows administrators to see the differences before they apply the policy.
☑ Use Security Configuration and Analysis to view the results of an analysis.

Group Policy Integration

☑ You can use the features of the Security Configuration Tool Set to configure group policies.
☑ Security policy can be edited in the Group Policy object.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the author of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Can I use the Security Configuration and Analysis snap-in to analyze the security configuration of a domain or OU?
A: Not at this time. This capability should be added in the future. However, at present, you can test scenarios against the current configuration for the local machine.

Q: I would like to use scripts to analyze a number of computers in my domain. What tool would I use to accomplish this task?
A: The secedit.exe command-line tool allows the administrator to analyze a number of machines by creating scripts that can be automated. You can then view the results of the analysis by opening the database file against which the analysis was run.

Q: Why have the changes I made to the security policy on the local computer not taken effect?
A: Effective policy depends on whether a computer is a member of a domain or an OU. Policy precedence flows in the order in which policies are applied. First the local policy is applied, then site policy is applied, then domain policy is applied, and finally OU policy is applied. If there are conflicts among the policies, the last policy applied prevails.

Q: Can I migrate my Windows NT 4.0 policies to Windows 2000?
A: No. The NT policies were stored in a .pol file, which included things such as group memberships. There is no way for the Windows 2000 Group Policy Model, which is centered on Active Directory, to interpret the entries in the .pol file. Microsoft recommends configuring the settings in the old .pol files in Active Directory. You can do this easily using the security settings extension to the Group Policy Editor. The Windows NT 4.0 .pol files were created by the System Policy Editor, which used .adm files as templates for the options configured in system policy. These files are compatible with Windows 2000 .adm files. However, you should not import these templates, because you might damage the registries of client machines. This means that after a Registry setting is set using Windows NT 4.0 .adm files, the setting will persist until the specified policy is reversed or the Registry itself is directly edited.

Q: How do I reverse the changes I made after applying a security policy?
A: There is no direct mechanism, such as an Undo button, that will allow you to reverse the changes.
Before you enact any changes to the local computer policy, back up the present configuration by exporting the current settings to an .inf file. Then you can restore your system to its previous state by importing the .inf file into the database and reapplying the changes.

Chapter 6

Encrypting the File System for Windows 2000

Solutions in this chapter include:

■ Using the Encrypting File System
■ User Operations
■ EFS Architecture

☑ Summary
☑ Solutions Fast Track
☑ Frequently Asked Questions

Introduction

Windows 2000 provides a new security feature by supporting file encryption. It will no longer be necessary to locate a third-party product to use in your Windows NT environment for data encryption. Because computers in general are more widely used and laptop use is at an all-time high, the concern over data security increases for everyone, not only the system administrator. The fact that you have implemented a firewall and that the Windows NT operating system includes mandatory logon and access control for files does not guarantee that your data is protected from unauthorized eyes. To keep your data from being viewed and/or modified by any unauthorized user, technology has now turned to the process of file encryption, which replaces physical security.

If thieves want your data, they can achieve their goal in many ways. Tools on some other operating systems can access NTFS volumes while bypassing the access control supplied by NTFS. Furthermore, the lack of physical security allows laptops to be stolen easily. Laptops now come with removable hard drives. This is great for the thief, since there is less contraband to conceal. The laptop still appears on the desk, so the thief has more time to exit a building before any alarms go off. A desktop computer’s second hard drive can be missing by the next morning.
The protection of data via physical security would be very easily implemented if all the rooms where equipment is used were locked and nothing were ever allowed to leave the room. Of course, this approach to data security has a tremendous negative side; portability comes to a screaming halt. Physical security is not really a solution in today’s world; the technological solution is file encryption.

Many file encryption products currently offered on the market by third-party vendors are designed around password keys. This kind of encryption is not very secure, because the encrypted file can be hacked quickly by brute force. Security products that were available before Windows 2000 required the user to encrypt and decrypt files manually with each usage. Most users do not have the time to back up their hard drives daily, and it is just as difficult to make the time to encrypt or decrypt files. If encryption isn’t convenient for users, they probably won’t use it.

On occasion, users encrypt a file and then forget the password. The third-party product can handle this major problem in one of two ways: the product can provide data recovery, or it cannot provide recovery. The more secure encryption software at the application level will not provide data recovery. The downside of this limitation becomes evident when a person is authorized, needs to get to the data, and has forgotten the password. If the vendor did provide some form of data recovery, security is weakened, and the recovery code is now the system’s weak point.

Some of the Windows 2000 Encrypting File System code runs down in protected mode. The kernel mode must not be available to users, or the operating system will crash.
Microsoft has built encryption into the operating system, making encrypted data more secure than ever before. The new feature of the Encrypting File System on Windows 2000 provides an element of security that Windows NT and third-party encryption software never approached in the past.

Using the Encrypting File System

The Encrypting File System supported in Windows 2000 is a new piece of security in the NTFS file system. Both public key encryption and secret key encryption are implemented within the complete process, so data is encrypted quickly and in such a way that it can stand up against an attack from any cryptanalysts. U.S. customers who purchase Windows 2000 receive a 56-bit standard DES algorithm for implementation, but they can also obtain a 128-bit encryption DES algorithm. Until export approval is received, Microsoft will also have a 40-bit DES algorithm for all international customers.

The encrypted file can be read by anyone with a private key that can decrypt the File Encryption Key. If a user leaves a company or if a user’s private key becomes corrupted or is accidentally deleted, Windows 2000 can implement data recovery. This might sound like a security weak spot, but data recovery in Windows 2000 is not a security weakness. Microsoft has written code to establish an Encrypted Data Recovery Policy (EDRP), which controls who can recover the data if the owner’s private key is lost or if an employee leaves the organization. In a workgroup environment, Windows 2000 automatically sets up the EDRP on the local machine. In a domain environment, the EDRP is set up in the domain policy by the system administrator, and computers belonging to the domain will receive the EDRP from that location.

Encryption Fundamentals

Encryption is the process of taking a plaintext file and processing it so that the original data is in a new ciphertext format. Typically the encryption process uses an algorithm and a secret value that is referred to as the key.
Public key cryptography is designed so that each person has two keys: a public and a private key. Table 6.1 identifies the differences between these two keys.

Table 6.1 Public and Private Keys

Key       Description                                  Use
Private   Never made known to anyone but the user      Decryption
Public    Known worldwide                              Encryption

Public key cryptography is also known as asymmetric cryptography, since different users employ different keys to encrypt and decrypt a file. Public key-based algorithms usually are on a very high security level, but they are considered slow. The basic processes of public key encryption and decryption are illustrated in Figure 6.1.

Figure 6.1 Public Key Encryption and Decryption (diagram labels: Plaintext, Public Key, Cipher Text, Private Key, Plaintext)

Instead of the key pair, symmetric cryptography uses a single secret key. One popular method of symmetric cryptography is Data Encryption Standard (DES), which the National Bureau of Standards defined in 1977 for commercial and nonclassified use. Developed by a team of IBM engineers who used their Lucifer cipher and input from the National Security Agency, DES is an encryption algorithm that uses a 56-bit binary number key.

Secret key algorithms are implemented quickly. Because the DES algorithm is the key that is used for both encrypting and decrypting data, this security mechanism is weak in its design. Figure 6.2 illustrates the secret key algorithm method.

Figure 6.2 Secret Key Algorithm (diagram labels: Plaintext, Secret Key, Cipher Text, Secret Key, Plaintext)

One major difference between symmetric and asymmetric algorithms is the number of keys that are used in the process. Public key algorithms use a key pair, [...]...
point, both the sensitive data and the FEK are secured. The slow method of public key algorithm is not used on the large file. The final design of file encryption for Windows 2000 allows us to get the best from both encryption worlds. Now it is time to pull all these loose ends together...

Properties. You will see the window shown in Figure 6.11.

Figure 6.10 Active Directory Users and Computers
Figure 6.11 The Group Policy Tab of the Domain’s Properties

3. Click the Group Policy tab.
4. Select Default Domain Policy, and click Edit. You will see the window shown in Figure 6.12...

on Windows 2000. Let’s examine this involvement.

EFS Components

In order to understand the entire encryption/decryption process, you need to look at the Windows 2000 operating system architecture. Keeping the same structure as previous releases of Windows NT, the Windows 2000 structure...

Decrypting a File

Decryption is never a necessary request by the user after the file is encrypted, as long as only that user needs to access the file. That does not mean that the decryption process will never occur on Windows 2000. The decryption process does occur in two instances: The Windows 2000 Encrypting File System goes through the decryption...
Windows 2000 shown in Figure 6.5) explaining how far down in the directory structure encryption should be set. You will see the window shown in Figure 6.6 while encryption is taking place. This window gives you an estimated time of encryption completion.

Figure 6.5 Confirming Attribute Changes
Figure 6.6 Applying Attributes

Any compressed or system file cannot be encrypted under Windows 2000. With the Windows 2000...

10. Click Next to continue the wizard.
11. Figure 6.14 shows the Certificate Template window. This is where we pick the type of certificate that we want. Select EFS Recovery Agent, and click Next. You will see the screen shown in Figure 6.15.

Figure 6.14 The Certificate Template Window
Figure 6.15 The Description Window

12. Enter...

When the copy command is used without the /E or /I switch, Windows 2000 will first decrypt the file and then make a copy in plain text. The original encrypted file is still encrypted on the hard drive.

The Copy Command

The Windows 2000 operating system adds to the copy command by including two new...

security at all. On Windows 2000, when the Encrypting File System is implemented, some of the activity occurs in each of these two modes. In earlier versions of the Windows NT operating system, the Local Security Authority Subsystem (LSASS) was in user mode. With Windows 2000, this subsystem takes on additional tasks and includes some additional functions for the Local Security Authority Server in order for...

Figure 6.24 shows both old and new components.

Figure 6.24 EFS Components (diagram labels: LSASS, LSASRV, User Mode, EFS Functions, Microsoft Cryptographic Provider 1.0, Application, Registered Encrypted File Access EFS Callouts, Kernel Mode, KSecDD, EFS, NTFS)

These are new, key components of the Encrypting File System:

■ EFS driver  EFS is really a device driver connected with the NTFS driver, both of which run in Windows 2000...

file has created or opened a file for an application, the NTFS driver needs the EfsFilePostCreate EFS Callback function’s help.

■ EfsFileControl and EfsFsControl  When a user modifies the file’s encryption settings, the NTFS driver makes a request for the EFS Callback functions, EfsFileControl